CVE-2026-7279

High

Published: 28 April 2026

Published

28 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 3.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7279 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Org (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-14 (Signed Components).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the DLL hijacking flaw in AVACAST through timely identification, reporting, and application of vendor patches or updates.

CM-14 Signed Components good match

prevent

Requires digital signature verification of software components like DLLs prior to installation or execution, blocking malicious unsigned or tampered DLLs from loading.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict low-privileged authenticated users from writing to the specific directory where AVACAST searches for and loads DLLs.

MITRE ATT&CK Enterprise TechniquesAI

T1038 DLL Search Order Hijacking Persistence

Windows systems use a common method to look for required DLLs to load into a program.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The CVE describes a DLL hijacking vulnerability (CWE-427) allowing local authenticated attackers to place a malicious DLL in a searched directory for arbitrary code execution with system privileges, directly mapping to DLL Search Order Hijacking (T1038) and enabling Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL.

Deeper analysisAI

CVE-2026-7279 is a DLL hijacking vulnerability (CWE-427) in AVACAST, software developed by eMPIA Technology. Published on 2026-04-28, it enables authenticated local attackers to place a malicious DLL in a specific directory, which the software then loads, resulting in arbitrary code execution with system privileges. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low complexity and requiring only local access and low privileges.

Local authenticated users can exploit this vulnerability by dropping a malicious DLL into the targeted directory that AVACAST searches during its execution. Upon loading the DLL, the attacker achieves arbitrary code execution at system privilege level, potentially allowing full control over the affected system, including data theft, persistence, or further lateral movement.

Advisories from TWCERT/CC provide details on mitigation, available at https://www.twcert.org.tw/en/cp-139-10885-02d83-2.html and https://www.twcert.org.tw/tw/cp-132-10884-f9c21-1.html.